Windows 10 Version 1607 driver signing changes

Microsoft announced recently that the upcoming version 1607 of Windows 10, known as the Anniversary Update, will only load kernel mode drivers that are digitally signed by Microsoft.

The change won't affect all systems, however; the company notes that only new installations are affected in the beginning.

Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal.

The list of exceptions to the new policy is long. Below is the most important information regarding the new kernel mode driver policy:

  1. PCs upgraded to Windows 10 Build 1607 from a previous version of Windows (for instance Windows 10 version 1511) are not affected by the change.
  2. PCs without Secure Boot functionality, or Secure Boot off, are not affected either.
  3. All drivers signed with cross-signing certificates that were issued prior to July 29, 2015 will continue to work.
  4. Boot drivers won't be blocked, to prevent systems from failing to boot. They will, however, be removed by the Program Compatibility Assistant.
  5. The change affects only Windows 10 Version 1607. All previous versions of Windows are not affected.

Microsoft notes that the change is done to make Windows more secure for end-users.

We’re making these changes to help make Windows more secure. These changes limit the risk of an end-user system being compromised by malicious driver software.

While the company states that certain setups won't be affected by the change, it appears that at least some of these exceptions will only be temporary.


As mentioned previously, boot drivers won't be blocked outright according to Microsoft. The company states however that Windows will eventually block boot drivers.



Microsoft mentions further that it "starts with" new installations of Windows 10 which suggests that it plans to remove some or even all of the exceptions in the future.

Impact


Kernel mode drivers are used by various programs on Windows. The list includes various security and backup programs, or VPN applications to name a few.

Any kernel mode driver not signed by Microsoft won't run anymore on new installations of Windows provided that the exceptions listed above don't apply.

This in turn breaks any program that relies on the driver.
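To see which drivers on a given machine fall outside the "signed by Microsoft" rule, the following added example (not from Microsoft or the original article) triages running kernel drivers against the exceptions listed above. It assumes two heuristics: a driver counts as Microsoft-signed when its valid signature names `O=Microsoft Corporation` as signer, and "issued prior to July 29, 2015" is read as the signer certificate's `NotBefore` date.

```powershell
# Added example: triage running kernel drivers against the article's exception list.
# Assumptions: "Microsoft-signed" = valid signature with O=Microsoft Corporation as
# signer; "issued prior to July 29, 2015" = signer certificate NotBefore date.
$cutoff = [datetime]'2015-07-29'

# Confirm-SecureBootUEFI needs elevation and throws on legacy-BIOS machines.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # PathName can carry an NT prefix (\??\) or quotes; normalise it.
        $path = ($_.PathName -replace '^\\\?\?\\', '').Trim('"')
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate

        $class = if ($sig.Status -ne 'Valid' -or -not $cert) {
            'Unsigned or invalid signature'
        } elseif ($cert.Subject -match 'O=Microsoft Corporation') {
            'Microsoft-signed'
        } elseif ($cert.NotBefore -lt $cutoff) {
            'Third-party, certificate predates cutoff'
        } else {
            'Third-party, certificate after cutoff (review)'
        }

        [pscustomobject]@{
            Driver    = $_.Name
            StartMode = $_.StartMode   # the article treats boot drivers separately
            Signer    = if ($cert) { $cert.Subject } else { $null }
            NotBefore = if ($cert) { $cert.NotBefore } else { $null }
            Class     = $class
        }
    }

"Secure Boot enabled: $secureBoot"
$report | Where-Object Class -ne 'Microsoft-signed' |
    Sort-Object Class, Driver |
    Format-Table Driver, StartMode, NotBefore, Class -AutoSize
```

Drivers in the last two classes are the ones to raise with the vendor before a clean install of version 1607 with Secure Boot on; on upgraded systems or with Secure Boot off, the exceptions above mean the rule is not enforced.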

While Windows 10 users may be affected by the change, so are developers. Companies may have enough funds to get the required certificates to get their drivers signed by Microsoft, but the same may not be true for hobby programmers or one-man teams.

On the other hand, the move will also limit malicious kernel mode drivers.

Now You: What is your take on the change?

Publisher: Ghacks Technology News


Responses to Windows 10 Version 1607 driver signing changes

  1. Yuliya July 28, 2016 at 2:16 pm #

    "PCs without Secure Boot functionality, or Secure Boot off, are not affected either."
    More like "Restrict my access to my computer" feature. Any sane person figured out by now that they should disable this anyway. Assuming their sanity is still present after they figured this out. Few years ago, after a couple of hours of constant failure attempts and cursing while trying to install 7 on a laptop that came with 8, I found out about that option on the internet. Just disable it.

    • Tim July 28, 2016 at 3:23 pm #

      @Yuliya said "Any sane person figured out by now that they should disable this [Secure Boot] anyway"

      Uhm, no.

      • Yuliya July 28, 2016 at 7:23 pm #

        Uhm, yes.

      • Zoey Barkow July 28, 2016 at 9:07 pm #

        We only disable this to do imaging, and after it's all set up and ready to deploy to the user it gets enabled. We don't like our users mucking up things, they just need to do their work and not install crap. We've already installed all the crap they need to do their jobs and just maybe they get paid for working.

    • Tom Lake July 29, 2016 at 7:35 pm #

      That's only true if it's your personal system. Any computer on a corporate network better have it on or there'll be hell to pay when the system is compromised.

    • Matt January 12, 2017 at 1:51 am #

      If you're an IT Professional, God help any company you work for. While you're at it why don't you disable antivirus because it slows down your computer or turn off UAC because the prompts are "annoying". Moron.

  2. RM July 28, 2016 at 2:23 pm #

    I like it. With the open environment that is Windows, you have to keep it secured in ways that a closed environment does not need to be. This adds to the many reasons PC sales are going to increase again.

    • Tim July 28, 2016 at 4:48 pm #

      Yup. As it is there's nothing stopping malicious actors from using ill-gotten private keys to sign kernel-mode malware, which would give them the ability to silently have free rein of the entire system, including bypassing security mechanisms in place. The users would be completely unaware as the malware would be running with the highest level of permissions on the machine possible, Ring 0, i.e. with the same or higher permissions than any security software they have installed to protect them. That means malware would have the ability to bypass those mechanisms and remain unnoticed and undetected, covering its tracks, doing pretty much anything it wants to do.

      So, I welcome the move. I read this as an additional layer of protection due to signed kernel-mode malware becoming more prevalent.

      • Captain Obvious August 16, 2016 at 10:49 pm #

        If a malicious actor can install a driver he already has all the privileges he needs to "have free rein of the entire system".

    • ilev July 30, 2016 at 6:44 pm #

      "PC sales are going to increase again"

      PC sales are never going to increase again, not after the "boost in sales" of Windows 10 fiasco.

  3. confused July 28, 2016 at 2:40 pm #

    I don't understand... Can I still use some Chinese gamepad even if the driver does not have Microsoft sign?

  4. Kin July 28, 2016 at 3:17 pm #

    Woaw, does that mean that VPN clients, that are often based on OpenVPN, will probably not work on new OS install?

    • "Free Upgrade" July 28, 2016 at 10:25 pm #

      Don't enable secure boot.

  5. Maelish July 28, 2016 at 4:50 pm #

    What is the best way to find out if you are using kernel mode drivers that won't pass muster?

  6. CHEF-KOCH July 28, 2016 at 5:52 pm #

    HitMan pro and IDM pro (as time of writing are affected) just enable secure boot and then just try to install it and you will get the 'can't install necessary driver' popup. But Bcdedit.exe -set TESTSIGNING OFF still does the trick (but you need now to turn secure boot off for this). Sadly it's not like 7 anymore: if you re-enable it after the drivers have been successfully installed then it blocks it again after the reboot. So you have that annoying watermark (of course you can disable it) but overall I hope we will get updates asap for this, because the security aspect is broken with such 'workarounds'.

    Thanks for the above mentioned trick, will try it. :)

  7. A or B, not C. July 31, 2016 at 8:25 am #

    Will M$ abuse this "new feature" of Win 10 1607 to eliminate competition to their own Windows Defender AV, Bing search, Edge browser, inbuilt back-up/disk-cleanup/defrag programs, Windows games, etc, ... similar to the Windows Store being likely abused by M$ to limit the installation of some 3rd-party software.

    Do Win 10 cptrs belong to the users or to M$.?
    .......Bear in mind that M$ may trigger any change they wish wrt this "new feature". Seems M$ r treating all their customers as Dummies n need to be protected from themselves, .......similar to the patronizing liberals of the Nanny Blue States.

  8. dave smith August 1, 2016 at 3:10 pm #

    Solution: switch to Linux. Worked for me :)

  9. William August 6, 2016 at 6:58 pm #

    I had to restore back to version 1511 as my Wi-Fi was going on/off.
    I like some of the new updates, but this was only the laptop that Microsoft update to ver 1607.
    The restore took less than 5 minutes.

  10. Lilli G August 8, 2016 at 4:36 pm #

    Yea... but again, good-bye Secure Boot.

  11. Cop This! September 23, 2016 at 9:40 pm #

    I reset my laptop after the 1607 update as I was having some weird problems occurring. I tried to install Comodo firewall after the Reset again, but Program Compatibility Assistant said its drivers aren't digitally signed, hence blocking them and not allowing internet traffic through the Comodo Firewall even though the installation goes ahead.

    Googled it and tried a few things including disabling the Program Compatibility Assistant service and turning off the digital driver checking in troubleshooter at bootup. Both didn't work. Contacted Comodo help and they said they could fix it but I would have to pay for the GeekBuddy licence.

    Going to try this tomorrow as a final attempt on my laptop at work. The 1607 update to Windows 10 I think has caused this I believe. See link about it below....

    https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/


  12. Ken September 23, 2016 at 9:46 pm #

    I reset Windows 10 on my laptop after the 1607 update as I was having some weird problems occurring. I tried to install Comodo firewall again after the Reset, but Program Compatibility Assistant said its drivers aren't digitally signed, hence blocking them and not allowing internet traffic through the Comodo Firewall even though the installation goes ahead.

    Googled it and tried a few things including disabling the Program Compatibility Assistant service and turning off the digital driver checking in troubleshooter at bootup. Both didn't work.

    Going to try this 'Secure Boot Off' tomorrow as a final attempt on my laptop at work. Will let you know if successful.

    Driver signing changes link:-
    https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/

    • Ken September 24, 2016 at 9:55 am #

      IT WORKED! Comodo Firewall now installs and works as before.
      Thank you for the tip.
